Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    10 vulnerabilities by tassos.gr

    CVE-2026-48906 (GCVE-0-2026-48906)

    Vulnerability from nvd – Published: 2026-05-27 09:11 – Updated: 2026-06-05 07:27
    VLAI
    Title
    Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla
    Summary
    The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    URL Tags
    https://tassos.gr product
    Credits
    Leandro Vallim
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48906",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T12:10:04.491382Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T12:11:19.309Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Novarain/Tassos Framework (plg_system_nrframework)",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-6.0.1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Convert Forms",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-4.4.12"
                },
                {
                  "status": "affected",
                  "version": "5.0.0-5.1.5"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "EngageBox",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-6.3.11"
                },
                {
                  "status": "affected",
                  "version": "7.0.0-7.1.1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Google Structured Data",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-5.6.11"
                },
                {
                  "status": "affected",
                  "version": "6.0.0-6.1.9"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-2.8.12"
                },
                {
                  "status": "affected",
                  "version": "3.0.0-3.1.3"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Smile Pack",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-1.2.6"
                },
                {
                  "status": "affected",
                  "version": "2.0.0-2.1.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Tassos Code Snippets",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "MailChimp Auto-Subscribe",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-5.0.5"
                },
                {
                  "status": "affected",
                  "version": "5.1.0-5.2.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Leandro Vallim"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites."
                }
              ],
              "value": "The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T07:27:40.844Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://tassos.gr"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework \u003c 6.1.0 for Joomla",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48906",
        "datePublished": "2026-05-27T09:11:40.231Z",
        "dateReserved": "2026-05-26T10:06:17.656Z",
        "dateUpdated": "2026-06-05T07:27:40.844Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21627 (GCVE-0-2026-21627)

    Vulnerability from nvd – Published: 2026-02-20 14:22 – Updated: 2026-02-23 05:07
    VLAI
    Title
    Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla
    Summary
    The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    URL Tags
    https://tassos.gr product
    Credits
    p1r0x / ssd-disclosure.com
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21627",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-20T20:42:52.948106Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-20T20:43:10.027Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Novarain/Tassos Framework (plg_system_nrframework)",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.10.14\u20136.0.37"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Convert Forms",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.2.12\u20135.1.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "EngageBox",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.0.0\u20137.1.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Google Structured Data",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.1.7\u20136.1.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.2.0\u20133.1.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Smile Pack",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0\u20132.1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "p1r0x / ssd-disclosure.com"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."
                }
              ],
              "value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T05:07:12.296Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://tassos.gr"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 \u2013 v6.0.37 for Joomla",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-21627",
        "datePublished": "2026-02-20T14:22:14.744Z",
        "dateReserved": "2026-01-01T04:42:27.960Z",
        "dateUpdated": "2026-02-23T05:07:12.296Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-22212 (GCVE-0-2025-22212)

    Vulnerability from nvd – Published: 2025-03-05 15:15 – Updated: 2025-03-14 22:58
    VLAI
    Title
    Extension - tassos.gr - SQL injection in Convert Forms component version 1.0.0-1.0.0 - 4.4.9 for Joomla
    Summary
    A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
    Assigner
    References
    Impacted products
    Credits
    Adam Wallwork
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 2.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22212",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-05T15:57:16.403725Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-05T15:57:19.711Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "com_convertforms",
              "product": "Convert Forms component for Joomla",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-4.4.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Adam Wallwork"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend."
                }
              ],
              "value": "A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-14T22:58:30.568Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.tassos.gr/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-22212"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Extension - tassos.gr - SQL injection in Convert Forms component version 1.0.0-1.0.0 - 4.4.9 for Joomla",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2025-22212",
        "datePublished": "2025-03-05T15:15:51.874Z",
        "dateReserved": "2025-01-01T04:33:02.765Z",
        "dateUpdated": "2025-03-14T22:58:30.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-40745 (GCVE-0-2024-40745)

    Vulnerability from nvd – Published: 2024-12-04 15:02 – Updated: 2024-12-25 04:34
    VLAI
    Title
    Extension - tassos.gr - Reflected Cross site scripting vulnerability in Convert Forms component for Joomla < 4.4.8
    Summary
    Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Credits
    Horizon Security’s Offensive Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-40745",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-04T16:49:50.442949Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-04T16:50:14.735Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "com_osticky",
              "product": "Convert Forms component for Joomla",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-4.4.7"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Horizon Security\u2019s Offensive Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8."
                }
              ],
              "value": "Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-25T04:34:24.527Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.tassos.gr/joomla-extensions/convert-forms"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Extension - tassos.gr - Reflected Cross site scripting vulnerability in Convert Forms component for Joomla \u003c 4.4.8",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2024-40745",
        "datePublished": "2024-12-04T15:02:05.517Z",
        "dateReserved": "2024-07-09T16:16:21.864Z",
        "dateUpdated": "2024-12-25T04:34:24.527Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-40744 (GCVE-0-2024-40744)

    Vulnerability from nvd – Published: 2024-12-04 15:01 – Updated: 2024-12-25 04:34
    VLAI
    Title
    Extension - tassos.gr - Unrestricted file upload in Convert Forms component for Joomla < 4.4.8
    Summary
    Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    tassos.gr Convert Forms component for Joomla Affected: 1.0.0-4.4.7
    Create a notification for this product.
    tassosgr convert_forms Affected: 1.0.0 , < 4.4.8 (custom)
        cpe:2.3:a:tassosgr:convert_forms:*:*:*:*:*:joomla\!:*:*
    Create a notification for this product.
    Credits
    Horizon Security’s Offensive Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:tassosgr:convert_forms:*:*:*:*:*:joomla\\!:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "convert_forms",
                "vendor": "tassosgr",
                "versions": [
                  {
                    "lessThan": "4.4.8",
                    "status": "affected",
                    "version": "1.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-40744",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T17:04:35.515167Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T17:27:11.859Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "com_osticky",
              "product": "Convert Forms component for Joomla",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-4.4.7"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Horizon Security\u2019s Offensive Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8."
                }
              ],
              "value": "Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-25T04:34:33.216Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.tassos.gr/joomla-extensions/convert-forms"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Extension - tassos.gr - Unrestricted file upload in Convert Forms component for Joomla \u003c 4.4.8",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2024-40744",
        "datePublished": "2024-12-04T15:01:50.739Z",
        "dateReserved": "2024-07-09T16:16:21.863Z",
        "dateUpdated": "2024-12-25T04:34:33.216Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-48906 (GCVE-0-2026-48906)

    Vulnerability from cvelistv5 – Published: 2026-05-27 09:11 – Updated: 2026-06-05 07:27
    VLAI
    Title
    Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla
    Summary
    The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    URL Tags
    https://tassos.gr product
    Credits
    Leandro Vallim
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48906",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T12:10:04.491382Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T12:11:19.309Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Novarain/Tassos Framework (plg_system_nrframework)",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-6.0.1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Convert Forms",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-4.4.12"
                },
                {
                  "status": "affected",
                  "version": "5.0.0-5.1.5"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "EngageBox",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-6.3.11"
                },
                {
                  "status": "affected",
                  "version": "7.0.0-7.1.1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Google Structured Data",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-5.6.11"
                },
                {
                  "status": "affected",
                  "version": "6.0.0-6.1.9"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-2.8.12"
                },
                {
                  "status": "affected",
                  "version": "3.0.0-3.1.3"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Smile Pack",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-1.2.6"
                },
                {
                  "status": "affected",
                  "version": "2.0.0-2.1.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Tassos Code Snippets",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "MailChimp Auto-Subscribe",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-5.0.5"
                },
                {
                  "status": "affected",
                  "version": "5.1.0-5.2.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Leandro Vallim"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites."
                }
              ],
              "value": "The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T07:27:40.844Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://tassos.gr"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework \u003c 6.1.0 for Joomla",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-48906",
        "datePublished": "2026-05-27T09:11:40.231Z",
        "dateReserved": "2026-05-26T10:06:17.656Z",
        "dateUpdated": "2026-06-05T07:27:40.844Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21627 (GCVE-0-2026-21627)

    Vulnerability from cvelistv5 – Published: 2026-02-20 14:22 – Updated: 2026-02-23 05:07
    VLAI
    Title
    Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla
    Summary
    The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    URL Tags
    https://tassos.gr product
    Credits
    p1r0x / ssd-disclosure.com
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21627",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-20T20:42:52.948106Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-20T20:43:10.027Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Novarain/Tassos Framework (plg_system_nrframework)",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.10.14\u20136.0.37"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Convert Forms",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.2.12\u20135.1.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "EngageBox",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.0.0\u20137.1.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Google Structured Data",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.1.7\u20136.1.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.2.0\u20133.1.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Smile Pack",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0\u20132.1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "p1r0x / ssd-disclosure.com"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."
                }
              ],
              "value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T05:07:12.296Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://tassos.gr"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 \u2013 v6.0.37 for Joomla",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2026-21627",
        "datePublished": "2026-02-20T14:22:14.744Z",
        "dateReserved": "2026-01-01T04:42:27.960Z",
        "dateUpdated": "2026-02-23T05:07:12.296Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-22212 (GCVE-0-2025-22212)

    Vulnerability from cvelistv5 – Published: 2025-03-05 15:15 – Updated: 2025-03-14 22:58
    VLAI
    Title
    Extension - tassos.gr - SQL injection in Convert Forms component version 1.0.0-1.0.0 - 4.4.9 for Joomla
    Summary
    A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
    Assigner
    References
    Impacted products
    Credits
    Adam Wallwork
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 2.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22212",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-05T15:57:16.403725Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-05T15:57:19.711Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "com_convertforms",
              "product": "Convert Forms component for Joomla",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-4.4.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Adam Wallwork"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend."
                }
              ],
              "value": "A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-14T22:58:30.568Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.tassos.gr/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-22212"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Extension - tassos.gr - SQL injection in Convert Forms component version 1.0.0-1.0.0 - 4.4.9 for Joomla",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2025-22212",
        "datePublished": "2025-03-05T15:15:51.874Z",
        "dateReserved": "2025-01-01T04:33:02.765Z",
        "dateUpdated": "2025-03-14T22:58:30.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-40745 (GCVE-0-2024-40745)

    Vulnerability from cvelistv5 – Published: 2024-12-04 15:02 – Updated: 2024-12-25 04:34
    VLAI
    Title
    Extension - tassos.gr - Reflected Cross site scripting vulnerability in Convert Forms component for Joomla < 4.4.8
    Summary
    Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Credits
    Horizon Security’s Offensive Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-40745",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-04T16:49:50.442949Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-04T16:50:14.735Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "com_osticky",
              "product": "Convert Forms component for Joomla",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-4.4.7"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Horizon Security\u2019s Offensive Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8."
                }
              ],
              "value": "Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-25T04:34:24.527Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.tassos.gr/joomla-extensions/convert-forms"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Extension - tassos.gr - Reflected Cross site scripting vulnerability in Convert Forms component for Joomla \u003c 4.4.8",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2024-40745",
        "datePublished": "2024-12-04T15:02:05.517Z",
        "dateReserved": "2024-07-09T16:16:21.864Z",
        "dateUpdated": "2024-12-25T04:34:24.527Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-40744 (GCVE-0-2024-40744)

    Vulnerability from cvelistv5 – Published: 2024-12-04 15:01 – Updated: 2024-12-25 04:34
    VLAI
    Title
    Extension - tassos.gr - Unrestricted file upload in Convert Forms component for Joomla < 4.4.8
    Summary
    Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    tassos.gr Convert Forms component for Joomla Affected: 1.0.0-4.4.7
    Create a notification for this product.
    tassosgr convert_forms Affected: 1.0.0 , < 4.4.8 (custom)
        cpe:2.3:a:tassosgr:convert_forms:*:*:*:*:*:joomla\!:*:*
    Create a notification for this product.
    Credits
    Horizon Security’s Offensive Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:tassosgr:convert_forms:*:*:*:*:*:joomla\\!:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "convert_forms",
                "vendor": "tassosgr",
                "versions": [
                  {
                    "lessThan": "4.4.8",
                    "status": "affected",
                    "version": "1.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-40744",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T17:04:35.515167Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T17:27:11.859Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "com_osticky",
              "product": "Convert Forms component for Joomla",
              "vendor": "tassos.gr",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0-4.4.7"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Horizon Security\u2019s Offensive Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8."
                }
              ],
              "value": "Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-25T04:34:33.216Z",
            "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
            "shortName": "Joomla"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.tassos.gr/joomla-extensions/convert-forms"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Extension - tassos.gr - Unrestricted file upload in Convert Forms component for Joomla \u003c 4.4.8",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "assignerShortName": "Joomla",
        "cveId": "CVE-2024-40744",
        "datePublished": "2024-12-04T15:01:50.739Z",
        "dateReserved": "2024-07-09T16:16:21.863Z",
        "dateUpdated": "2024-12-25T04:34:33.216Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }